Analysis

max time kernel:  47s
max time network: 130s
platform:         windows10-2004_x64
resource:         win10v2004-en-20220113
submitted:        20-02-2022 06:26

Static task: static1

Behavioral task: behavioral1
  Sample:   667e879d7eece2bfbf417698003ddf3b6e2050f7b0e92afd465410012fed03da.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample:   667e879d7eece2bfbf417698003ddf3b6e2050f7b0e92afd465410012fed03da.exe
  Resource: win10v2004-en-20220113
General

Target: 667e879d7eece2bfbf417698003ddf3b6e2050f7b0e92afd465410012fed03da.exe
Size:   170KB
MD5:    24e7a4dbcd8dffad8f496711130b2b0a
SHA1:   0bcc331696e3082bd4743ed335e253b4b40536ba
SHA256: 667e879d7eece2bfbf417698003ddf3b6e2050f7b0e92afd465410012fed03da
SHA512: 6498e2e85b45a724e1c389ac5cf9388bfa0e784e436fe81ad6f04d3643584f63c020b8c50d20ad118ff2fd98cfa8136fa0a6e5b6da8b870f1968055688918685
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                                  process
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  667e879d7eece2bfbf417698003ddf3b6e2050f7b0e92afd465410012fed03da.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  1220  667e879d7eece2bfbf417698003ddf3b6e2050f7b0e92afd465410012fed03da.exe
  1220  667e879d7eece2bfbf417698003ddf3b6e2050f7b0e92afd465410012fed03da.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1220  667e879d7eece2bfbf417698003ddf3b6e2050f7b0e92afd465410012fed03da.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                     pid   process                                                                process target
  PID 1220 wrote to memory of 4732  1220  667e879d7eece2bfbf417698003ddf3b6e2050f7b0e92afd465410012fed03da.exe  cmd.exe
  PID 1220 wrote to memory of 4732  1220  667e879d7eece2bfbf417698003ddf3b6e2050f7b0e92afd465410012fed03da.exe  cmd.exe
  PID 1220 wrote to memory of 2336  1220  667e879d7eece2bfbf417698003ddf3b6e2050f7b0e92afd465410012fed03da.exe  svchost.exe
  PID 4732 wrote to memory of 1476  4732  cmd.exe                                                                reg.exe
  PID 4732 wrote to memory of 1476  4732  cmd.exe                                                                reg.exe
  PID 1220 wrote to memory of 2344  1220  667e879d7eece2bfbf417698003ddf3b6e2050f7b0e92afd465410012fed03da.exe  sihost.exe
  PID 1220 wrote to memory of 2432  1220  667e879d7eece2bfbf417698003ddf3b6e2050f7b0e92afd465410012fed03da.exe  taskhostw.exe
  PID 1220 wrote to memory of 2972  1220  667e879d7eece2bfbf417698003ddf3b6e2050f7b0e92afd465410012fed03da.exe  svchost.exe
  PID 1220 wrote to memory of 3260  1220  667e879d7eece2bfbf417698003ddf3b6e2050f7b0e92afd465410012fed03da.exe  DllHost.exe
Processes

C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3260

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 2972

C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2432

C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  PID: 2344

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2336

C:\Users\Admin\AppData\Local\Temp\667e879d7eece2bfbf417698003ddf3b6e2050f7b0e92afd465410012fed03da.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\667e879d7eece2bfbf417698003ddf3b6e2050f7b0e92afd465410012fed03da.exe"
  Signatures:
    Checks computer location settings
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
  PID: 1220

    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\667e879d7eece2bfbf417698003ddf3b6e2050f7b0e92afd465410012fed03da.exe" /f
      Signatures:
        Suspicious use of WriteProcessMemory
      PID: 4732

        C:\Windows\system32\reg.exe
          Command line: REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\667e879d7eece2bfbf417698003ddf3b6e2050f7b0e92afd465410012fed03da.exe" /f
          PID: 1476